Skip to content

leak users

Hi,

The Django REST framework leaks the list of users (with emails) through the "collaborators" selector of the HTML competition submission form (bottom of the page https://www.codabench.org/api/competitions/).

Screenshot from 2023-05-22 14-52-30

Edit: Seems it only works when logged in 🙌. The extraction is possible through the GUI "Add collaborator" auto completion feature, but giving out the list like that might not be desired.